yzy2

Security checks across malware telemetry and agentic risk

Overview

This PDF parser is useful, but it sends PDF text to Moonshot's AI API without clearly telling users in the skill instructions.

Install only if you are comfortable sending the first part of each selected PDF to Moonshot's API under your MOONSHOT_API_KEY. Avoid confidential, unpublished, licensed, or personal documents unless that third-party processing is acceptable, and consider pinning dependencies before use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (5)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 87% confidence
Finding: The skill declares no permissions, yet the surrounding analysis indicates it uses environment-based secrets (e.g. an API key) and external service capabilities. This creates a transparency and trust problem: operators and users cannot accurately assess what data access or outbound behavior the skill requires, increasing the risk of unintended secret use or hidden data transfer.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 96% confidence
Finding: The declared behavior says the skill extracts metadata from a PDF, but the analyzed behavior indicates it sends PDF content to a third-party AI service using a remote API. That mismatch is dangerous because users may supply sensitive or copyrighted documents under the assumption of local-only processing, causing unanticipated data exfiltration and compliance/privacy exposure.

Description-Behavior Mismatch

Medium

Confidence: 97% confidence
Finding: The skill transmits extracted PDF text to a third-party AI service even though its stated purpose suggests local PDF metadata extraction. This creates a real data exposure risk because academic PDFs may contain unpublished, licensed, or sensitive content, and users are not clearly informed that document contents leave the local environment.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The code reads an API key from the environment and initializes a remote client for a task described as PDF parsing, introducing undisclosed network dependency and external data handling. While not credential exfiltration by itself, it expands the trust boundary and can cause sensitive document text to be processed by an external provider without necessity or clear justification.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The request to the external API includes PDF-derived text, but the code gives no user-facing warning that document contents will be uploaded. This is dangerous because users may reasonably expect a parser to operate locally and may unknowingly expose confidential research, proprietary manuscripts, or personal data embedded in PDFs.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal